Thursday, May 17, 2018

How to adapt the website to the GDPR

With the new provisions introduced by the GDPR for the protection of personal data and privacy, every company that owns a website and processes its users' information must comply with the European Regulation.


Webmasters must first of all ensure that the information given to users is clear: every website must plainly show all visitors the answers to questions such as:

  • Why does the site request personal data?
  • How are the data obtained and stored?
  • Can data be transferred to third parties and under what conditions?

GDPR and Website: right to delete personal data

Among the principles underlying data processing is accountability: a website must be able to demonstrate that it has a legal basis for processing personal data. All procedures must be adapted to protect the user's rights, starting from the request for erasure of personal data, which can be made at any time. To make erasure requests easy to handle, it is advisable to keep users' consents in a separate record (database) rather than scattered through the application data.

GDPR and Website: Log registration

GDPR compliance for new sites also requires a system for verifying and auditing access to visitor data, with the possibility of immediate notification when a personal data breach is suspected. A logging platform (log recorder) that collects the data and tracks the activities of the system administrator and the webmaster, combined with software (or, for a CMS, plug-ins or modules) for access control and data protection, can satisfy this requirement.

GDPR and Website: right to be informed

The GDPR also requires respect for several categories of user rights, first of all the right to be informed. Website owners must inform visitors and customers from whom they are about to collect personal data. Notices to this effect must be displayed clearly and be easy to understand, even for children and minors. Site administrators must also distinguish two categories of data: data obtained directly from users and secondary data derived from that information.

GDPR and Website: the rights of the interested party

Other fundamental rights of the user are the right of access, the right to rectification, the right to be forgotten (erasure), the right to restrict the processing of personal information, the right to data portability and the right to object to the processing of personal data. To ensure GDPR compliance, administrators can set up mechanisms that fulfil these rights through automated, scheduled actions rather than ad hoc manual work.

GDPR and Website: the newsletter

Newsletter subscription options and contact preferences must also be reorganized to align with the new provisions, which no longer allow consent to be assumed by default. Forms will have to be reworked so that sponsored messages and newsletters move from opt-out (as was often the case before) to explicit opt-in. The same applies to the "Terms of Service - Conditions" and to the Privacy Policy.

GDPR and Website: the management of personal data

Once consent has been given and the privacy policy and conditions of use accepted, the user must be able to manage and withdraw them simply and immediately. A recommended approach is to create a user profile page where everyone can independently manage each consent to the collection of personal data and to the sending of communications and newsletters. The main steps for a GDPR-compliant website, with the specific actions administrators should follow, can be summarized as follows:

GDPR and Website: checklist

  • Audit all personal data collected
  • Update the privacy policy
  • Make cookie notices effective
  • Create simple opt-in processes that are granular (one choice per type of processing)
  • Review the data collection functionality
  • Update the Privacy Policy for email communications
  • Make it possible to manage or delete data immediately
  • Apply encryption to data at rest on disk and to the information held in databases
  • Check that no form checkboxes are ticked by default: the user must actively confirm the sending of the information
  • Enable a procedure that facilitates the deletion of a particular user's data
  • Enable a procedure that guarantees data portability
  • Record and monitor system logs for administrators and webmasters
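The separate consent record, granular opt-in without pre-ticked boxes, withdrawal from a profile page, portability export, erasure and the administrator audit log described in the sections above, brought together in one added example (this is illustrative code written for this page, not code from the original article). The purpose names, form field names, the sample e-mail address and the choice to keep only a hash of the identifier in the audit log after erasure are all assumptions.

```python
import hashlib
import json
import time
from dataclasses import dataclass, asdict
from typing import Dict, List

# Granular processing purposes a user can consent to separately (assumed names).
PURPOSES = ("newsletter", "analytics", "third_party_sharing")


@dataclass
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool   # True = opt-in, False = withdrawal
    source: str     # where the choice was made, e.g. "signup_form"
    ts: float


def parse_consent_form(fields: Dict[str, str]) -> Dict[str, bool]:
    """Turn submitted form fields into per-purpose choices.
    An unchecked HTML checkbox is absent from the submission, so a missing
    field means "not granted": nothing is consented to by default and the
    user must actively tick each box (assumed field names consent_<purpose>)."""
    return {p: fields.get(f"consent_{p}") == "on" for p in PURPOSES}


class ConsentLedger:
    """Append-only consent record kept apart from the main user table,
    plus a hash-chained audit log of who changed what."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._audit: List[dict] = []
        self._prev_hash = "0" * 64

    def _log(self, actor: str, action: str, detail: str) -> None:
        # Each entry commits to the previous one, so editing or deleting an
        # earlier entry is detectable by audit_intact().
        entry = {"ts": time.time(), "actor": actor, "action": action,
                 "detail": detail, "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self._audit.append(entry)

    def record(self, user_id: str, purpose: str, granted: bool,
               source: str, actor: str = "user") -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self._events.append(ConsentEvent(user_id, purpose, granted, source, time.time()))
        self._log(actor, "consent_granted" if granted else "consent_withdrawn",
                  f"{user_id}:{purpose}")

    def record_form(self, user_id: str, fields: Dict[str, str],
                    source: str = "signup_form") -> None:
        for purpose, granted in parse_consent_form(fields).items():
            self.record(user_id, purpose, granted, source)

    def current(self, user_id: str) -> Dict[str, bool]:
        """Latest decision per purpose; purposes never mentioned stay False."""
        state = {p: False for p in PURPOSES}
        for ev in self._events:  # events are appended in chronological order
            if ev.user_id == user_id:
                state[ev.purpose] = ev.granted
        return state

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        return self.current(user_id).get(purpose, False)

    def export(self, user_id: str) -> str:
        """Machine-readable copy of the user's consent history (portability)."""
        history = [asdict(e) for e in self._events if e.user_id == user_id]
        self._log("user", "export", user_id)
        return json.dumps({"user_id": user_id, "consents": history}, indent=2)

    def erase(self, user_id: str, actor: str = "user") -> int:
        """Right to erasure: drop the user's consent records. The audit log keeps
        only a truncated SHA-256 of the identifier as evidence that erasure ran
        (a design choice assumed here; a hash is pseudonymous, not anonymous)."""
        before = len(self._events)
        self._events = [e for e in self._events if e.user_id != user_id]
        ref = hashlib.sha256(user_id.encode()).hexdigest()[:16]
        self._log(actor, "erase", f"user_ref={ref}")
        return before - len(self._events)

    def audit_intact(self) -> bool:
        """Recompute the hash chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self._audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Walk one constructed user through signup, withdrawal, export and erasure."""
    ledger = ConsentLedger()
    user = "alice@example.com"  # constructed sample identity
    # Constructed signup submission: only the newsletter box was ticked.
    ledger.record_form(user, {"email": user, "consent_newsletter": "on"})
    after_signup = ledger.current(user)
    ledger.record(user, "newsletter", False, "profile_page")  # withdrawal from profile page
    exported = json.loads(ledger.export(user))
    removed = ledger.erase(user)
    return {"after_signup": after_signup,
            "newsletter_after_withdrawal": ledger.is_permitted(user, "newsletter"),
            "exported_events": len(exported["consents"]),
            "removed": removed,
            "after_erase": ledger.current(user),
            "audit_intact": ledger.audit_intact()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The consent state is derived from the event history rather than stored as a mutable flag, which gives the proof of consent that accountability requires, while the hash chain makes later tampering with the administrator audit trail detectable. In a real deployment the events and audit entries would live in their own tables or log store, encrypted at rest as the checklist recommends.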